Breached Password Playbook
Before you start
You must configure Breached Password Protection and set up alerts for thresholds.
Adversaries can target password-based authentication in attacks against your tenant. The guidance below covers identifying and investigating potential attacks and taking the remediation actions needed to protect users and minimize further risk.
Find log events of interest
When considering a response, first sift through the log messages of interest to identify potential attacks. For example, the attack may be coming from a limited set of IPs or from a single autonomous system number (ASN) or country.
The following Auth0 tenant log event types are relevant when investigating a brute force attack.
f: failed user login
fu: failed user login due to invalid username
fp: failed user login due to invalid password
pwd_leak: attempted login with a leaked password
signup_pwd_leak: attempted to sign up with a leaked password
fcoa: failed cross-origin authentication (these events are generated by /co/authenticate, which should not be enabled unless strictly required)
scoa: successful cross-origin authentication (these events are generated by /co/authenticate, which should not be enabled unless strictly required)
Identify breached password attacks
Attackers often employ brute force techniques (T1110) when trying to breach password authentication, using collections of bots to guess passwords and signing up with reused credentials to test user accounts.
Password guessing
Most commonly employed by unsophisticated adversaries, password guessing (T1110.001) attackers come in with little prior knowledge of your tenant’s policies and repeatedly attempt to guess passwords in an attempt to access accounts. Since attackers are merely guessing whether a user exists with an unknown password, you will see a flood of fp, fu and fcoa events in your Auth0 log events.
Password spraying
Adversaries employ password spraying (T1110.003) as an opportunistic attack en masse when attempting to gain access to legitimate user accounts. Since attackers achieve their goals by trying commonly-used passwords, these attacks will frequently trip Auth0’s brute force protections. Much like password guessing attacks, a high number of fp, fu and fcoa events in your logs is the best indicator that attackers are attempting password spraying.
Credential stuffing
If your tenant uses passwords without requiring an additional factor, credential stuffing (T1110.004) is the most effective brute force attack technique. These attacks take advantage of password leaks and reuse by attempting to log in to a victim’s account using a dictionary of leaked passwords. Credential stuffing attacks frequently generate fp events (because the attackers are more likely to know a user exists) and pwd_leak events (because attackers are attempting to log in using breached credentials).
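As an added illustration (not part of Auth0's playbook), the following Python script parses a constructed newline-delimited export of tenant log events, counts the event types listed above per source IP, and applies the playbook's pattern heuristics: leak events point to credential stuffing, while a flood of fp/fu/fcoa alone points to guessing or spraying. The ip and user_name field names, the group_by option (for grouping by ASN or country if your export carries such a field) and the min_events threshold are assumptions.

```python
import json
from collections import Counter, defaultdict

# Auth0 tenant log event types the playbook singles out for breached-password investigation.
FAILURE_TYPES = {"f", "fu", "fp", "fcoa", "pwd_leak", "signup_pwd_leak"}

# Constructed sample log lines (one JSON object per line, not real tenant data);
# only the fields this script reads are included.
SAMPLE_LOG_LINES = """
{"type": "fu", "ip": "203.0.113.10", "user_name": "alice@example.com"}
{"type": "fu", "ip": "203.0.113.10", "user_name": "bob@example.com"}
{"type": "fp", "ip": "203.0.113.10", "user_name": "carol@example.com"}
{"type": "fcoa", "ip": "203.0.113.10", "user_name": "carol@example.com"}
{"type": "fp", "ip": "198.51.100.7", "user_name": "dave@example.com"}
{"type": "pwd_leak", "ip": "198.51.100.7", "user_name": "erin@example.com"}
{"type": "pwd_leak", "ip": "198.51.100.7", "user_name": "frank@example.com"}
{"type": "s", "ip": "192.0.2.1", "user_name": "grace@example.com"}
"""

def parse_log_lines(text):
    """Parse a newline-delimited JSON log export, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def summarize_failures(events, group_by="ip"):
    """Count failure event types per source (default: IP) and the distinct users targeted."""
    summary = defaultdict(lambda: {"types": Counter(), "users": set()})
    for ev in events:
        if ev.get("type") not in FAILURE_TYPES:
            continue  # successful logins and unrelated events are not counted
        entry = summary[ev.get(group_by, "unknown")]
        entry["types"][ev["type"]] += 1
        if ev.get("user_name"):
            entry["users"].add(ev["user_name"])
    return summary

def classify(entry, min_events=3):
    """Map one source's failure profile onto the playbook's attack patterns (heuristic)."""
    types = entry["types"]
    if sum(types.values()) < min_events:
        return "below threshold"
    # pwd_leak / signup_pwd_leak mean breached credentials are being replayed.
    if types["pwd_leak"] + types["signup_pwd_leak"] > 0:
        return "credential stuffing"
    # A flood of fp/fu/fcoa without leak events fits password guessing or spraying.
    return "password guessing/spraying"

def triage(text, group_by="ip", min_events=3):
    """Return {source: pattern} for every source that produced failure events."""
    summary = summarize_failures(parse_log_lines(text), group_by)
    return {src: classify(entry, min_events) for src, entry in summary.items()}
```

Sources flagged this way are candidates for the IP, ASN or geographic blocks described under Mitigation strategies, after confirming the traffic is not legitimate.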
Mitigation strategies
A comprehensive strategy balances your business's risk tolerance and technical capabilities with the experience your users will have when they sign in. When responding, consider two main factors:
User friction: evaluate the impact of mitigation measures (e.g. CAPTCHA frequency, passkey requirements, or MFA) on user experience.
Technical capacity: assess your ability to implement IP blocking, WAF rules, and MFA enforcement.
Auth0 recommends a layered security approach that combines multiple mitigation techniques for optimal protection. Below are Auth0's recommendations:
Turn on Bot Detection and block compromised credentials, up to and including requiring MFA for potentially compromised accounts.
Activate CAPTCHA for one or more flows and increase CAPTCHA frequency as needed, but remember that CAPTCHA is a deterrent, not a solution. For more information about bot detection, read the Bot Detection playbook.
Change your CAPTCHA provider if attackers bypass your current CAPTCHA or consider migrating to Auth0's Auth Challenge or another supported provider.
Change your web application firewall rules using an edge provider or use tenant access control lists to block abusive IPs, autonomous system numbers, geographic locations, TLS clients, or HTTP header elements like user-agent strings.
Tighten Brute Force and Suspicious IP thresholds to reduce allowed connection limits and mitigate brute-force attacks.
Disable stateless endpoints susceptible to credential stuffing attacks by modifying your Cross-Origin Authentication settings.